Over 20 million passwords from the world’s biggest companies exposed on dark web

When a database is left exposed on the Internet, one of two things happens: either the company that controls it detects the misconfiguration and secures it, or hackers find it first and expose millions of records. In the second case, data protection experts note, the exposed information commonly ends up on a dark web forum, as in the latest reported case, which involves more than 21 million accounts belonging to companies on the Fortune 500 list.

To be precise, the exposed databases contain a total of 21,040,296 accounts (usernames and passwords). Over 90% of these passwords have already been cracked by hackers, so they are available in plain text.

Most of the compromised accounts belong to companies in the technology and financial sectors, and a significant portion of the data is recent: even the oldest accounts appear to have been created less than twelve months ago, data protection experts report.

A sample with the most commonly used passwords

Using machine learning tools, researchers were able to eliminate fake leaks, duplicate records, and default passwords, arriving at a total of 4.9 million authentic accounts. The rest of the leaked records are fake, outdated, or come from earlier data breach incidents.

A worrying finding is that, regardless of company type or workforce size, the passwords used are extremely weak. “More than 40% of the compromised accounts used the company name (with minimal variations) as a password,” the experts mention.

From the samples collected, the experts conclude that retailers are far more prone to weak passwords than other sectors; security elsewhere is not much better, however, as almost half of the exposed passwords could have been cracked in less than a minute.
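The two analysis steps described above, dropping duplicate and default-password records and then flagging passwords that are just the company name with minimal variations, can be reproduced on a small scale. The following is an added example written for this page, not the researchers' tooling. The records, the list of default passwords, the leetspeak table, and the rule that a "minimal variation" means the company name plus at most three extra letters are all constructed assumptions; the company name is taken from the first label of the email domain, which real data (subdomains, acquired brands) would often break.

```python
"""Triage a constructed sample of leaked credentials: de-duplicate, drop
default passwords, then flag company-name-derived passwords.
Added example for this page; heuristics and data are assumptions."""
import re

# Constructed sample: (email, plaintext password). Not real leaked data.
SAMPLE_RECORDS = [
    ("alice@acmecorp.example", "AcmeCorp2023!"),
    ("alice@acmecorp.example", "AcmeCorp2023!"),      # exact duplicate record
    ("bob@acmecorp.example", "acmec0rp"),             # leetspeak variant
    ("carol@acmecorp.example", "password"),           # default password
    ("dave@globexbank.example", "Gl0bex_Bank1"),      # separator + digit variant
    ("erin@globexbank.example", "xT9#vQ2!mL8@pR4"),   # unrelated, strong
    ("frank@initech.example", "changeme"),            # default password
    ("grace@initech.example", "Initech!"),            # punctuation variant
]

# Assumed list of default/common passwords to filter out before analysis.
DEFAULT_PASSWORDS = {"password", "changeme", "123456", "welcome", "admin"}

# Assumed leetspeak substitutions (character -> letter it stands for).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# A password counts as a "minimal variation" if, after normalization,
# it contains the company name with at most this many extra letters.
MAX_EXTRA_LETTERS = 3


def company_from_email(email):
    """Assumption: the company name is the first label of the email domain."""
    domain = email.split("@", 1)[1]
    return domain.split(".")[0]


def normalize(s):
    """Reduce a password to the letters it is built from:
    lowercase, strip surrounding digits/symbols (years, '!'), undo
    leetspeak inside the word, and drop separators such as '_' or '-'."""
    s = s.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = s.translate(LEET)
    return re.sub(r"[^a-z]", "", s)


def is_company_variant(password, company):
    """True if the password is the company name with minimal variations."""
    base = normalize(company)
    core = normalize(password)
    if not base or not core:
        return False
    return base in core and len(core) - len(base) <= MAX_EXTRA_LETTERS


def triage(records):
    """De-duplicate, drop default passwords, and count company-name variants."""
    seen = set()
    unique = []
    for email, pw in records:
        key = (email.lower(), pw)
        if key in seen:
            continue
        seen.add(key)
        unique.append((email, pw))
    default = [r for r in unique if r[1].lower() in DEFAULT_PASSWORDS]
    authentic = [r for r in unique if r[1].lower() not in DEFAULT_PASSWORDS]
    variants = [r for r in authentic
                if is_company_variant(r[1], company_from_email(r[0]))]
    return {
        "total": len(records),
        "unique": len(unique),
        "default_password": len(default),
        "authentic": len(authentic),
        "company_variant": len(variants),
        "company_variant_share": (len(variants) / len(authentic)
                                  if authentic else 0.0),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_RECORDS).items():
        print(f"{k}: {v}")
```

On the constructed sample, four of the five authentic records are company-name variants, which is the kind of ratio the article reports. The same `is_company_variant` check is also a cheap way for a company to audit its own recovered plaintext or cracked hashes for this pattern before an attacker does.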

Data protection experts from the International Institute of Cyber Security (IICS) mention that data from this massive leak will soon be available for lookup on the specialized platform Have I Been Pwned, where concerned users will be able to check the status of their business email accounts.